I would welcome a discussion of wrong (or bad) patterns. Lately I spend about half my development time fixing things that are done wrong.

-Adrian

On 2/27/2012 7:26 PM, [email protected] wrote:
Author: jacopoc
Date: Mon Feb 27 19:26:23 2012
New Revision: 1294291

URL: http://svn.apache.org/viewvc?rev=1294291&view=rev
Log:
Fixed permission service for creation/update of order adjustment that was 
completely wrong (probably because it has been copied from another service from 
the Party component and then not properly completed): the end result was that 
the service always granted the rights to perform the task.
As a side note, the service is still incorrectly using the _ROLE permission, but 
this is a broader issue (a wrong pattern used everywhere in OFBiz) that I would 
like to fix everywhere after discussion with the community.

Modified:
     
ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
     ofbiz/trunk/applications/order/servicedef/services.xml

Modified: 
ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml?rev=1294291&r1=1294290&r2=1294291&view=diff
==============================================================================
--- 
ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
 (original)
+++ 
ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
 Mon Feb 27 19:26:23 2012
@@ -21,40 +21,28 @@ under the License.
  <simple-methods xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
          
xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/simple-methods.xsd";>

-<!-- Returns hasPermission=true if userLogin partyId equals partyId parameter
-         Only the order owner should be able to cancel an item from Ecommerce
-    -->
-<simple-method method-name="orderAdjustmentPermissionCheck" short-description="Party 
contact mech permission logic">
-<if-empty field="parameters.partyId">
-<set field="parameters.partyId" from-field="userLogin.partyId"/>
-</if-empty>
-<if-compare-field to-field="userLogin.partyId" field="parameters.partyId" 
operator="equals">
-<set field="hasPermission" type="Boolean" value="true"/>
-<field-to-result field="hasPermission"/>
+<simple-method method-name="orderAdjustmentPermissionCheck" 
short-description="Permission service for the creation and editing of order adjustments">
+<set field="primaryPermission" value="ORDERMGR"/>
+<set field="altPermission" value="ORDERMGR_ROLE"/>
+<set field="mainAction" from-field="parameters.mainAction"/>
+<call-simple-method method-name="genericBasePermissionCheck" 
xml-resource="component://common/script/org/ofbiz/common/permission/CommonPermissionServices.xml"/>
+<if-compare field="hasPermission" operator="not-equals" value="true">
+<set field="resourceDescription" from-field="parameters.resourceDescription"/>
+<if-empty field="resourceDescription">
+<property-to-field resource="CommonUiLabels" property="CommonPermissionThisOperation" 
field="resourceDescription"/>
+</if-empty>
+<if-compare field="mainAction" value="CREATE" operator="equals">
+<property-to-field resource="OrderErrorUiLabels" 
property="OrderSecurityErrorToRunCreateOrderAdjustement" field="failMessage"/>
+</if-compare>
+<if-compare field="mainAction" value="UPDATE" operator="equals">
+<property-to-field resource="OrderErrorUiLabels" 
property="OrderSecurityErrorToRunAutoCreateOrderAdjustments" field="failMessage"/>
+</if-compare>
+<set field="hasPermission" type="Boolean" value="false"/>
+<field-to-result field="failMessage"/>
              <else>
-<set field="primaryPermission" value="ORDERMGR"/>
-<set field="altPermission" value="ORDERMGR_ROLE"/>
-<set field="mainAction" from-field="parameters.mainAction"/>
-<call-simple-method method-name="genericBasePermissionCheck" 
xml-resource="component://common/script/org/ofbiz/common/permission/CommonPermissionServices.xml"/>
-<if-compare field="hasPermission" operator="not-equals" value="true">
-<set field="resourceDescription" from-field="parameters.resourceDescription"/>
-<if-empty field="resourceDescription">
-<property-to-field resource="CommonUiLabels" property="CommonPermissionThisOperation" 
field="resourceDescription"/>
-</if-empty>
-<if-compare field="mainAction" value="CREATE" operator="equals">
-<property-to-field resource="OrderErrorUiLabels" 
property="OrderSecurityErrorToRunCreateOrderAdjustement" field="failMessage"/>
-</if-compare>
-<if-compare field="mainAction" value="UPDATE" operator="equals">
-<property-to-field resource="OrderErrorUiLabels" 
property="OrderSecurityErrorToRunAutoCreateOrderAdjustments" field="failMessage"/>
-</if-compare>
-<set field="hasPermission" type="Boolean" value="false"/>
-<field-to-result field="failMessage"/>
-<else>
-<field-to-result field="hasPermission"/>
-</else>
-</if-compare>
+<field-to-result field="hasPermission"/>
              </else>
-</if-compare-field>
+</if-compare>
      </simple-method>

      <simple-method method-name="createOrderAdjustment" short-description="Create an 
OrderAdjustment">
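Review bot: In the denied branch of `orderAdjustmentPermissionCheck`, `hasPermission` is set to `false` but only `failMessage` is copied to the result, so this method never exports an explicit denial itself; `<field-to-result field="hasPermission"/>` appears only inside the `<else>`. Unless `genericBasePermissionCheck` (not shown in this hunk) already writes that result, the outcome depends on how the caller treats a missing `hasPermission`, which is a fragile basis for an authorization decision. Adding `<field-to-result field="hasPermission"/>` directly after `<set field="hasPermission" type="Boolean" value="false"/>` would make the check fail closed on its own. Separately, `failMessage` is populated only when `mainAction` is `CREATE` or `UPDATE`, so a denial for any other action may return no message from this method. The `UPDATE` case also uses the `OrderSecurityErrorToRunAutoCreateOrderAdjustments` label, which looks like a mismatch worth confirming.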

Modified: ofbiz/trunk/applications/order/servicedef/services.xml
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services.xml?rev=1294291&r1=1294290&r2=1294291&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/servicedef/services.xml (original)
+++ ofbiz/trunk/applications/order/servicedef/services.xml Mon Feb 27 19:26:23 
2012
@@ -184,12 +184,8 @@ under the License.

      <service name="orderAdjustmentPermissionCheck" engine="simple"
              
location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml" 
invoke="orderAdjustmentPermissionCheck">
-<description>
-            Performs a party contact mech security check. The userLogin 
partyId must equal the partyId parameter.
-            Only the order owner should be able to cancel an item from 
Ecommerce.
-</description>
+<description>Permission service for the creation and editing of order 
adjustments</description>
          <implements service="permissionInterface"/>
-<attribute name="partyId" type="String" mode="IN" optional="true"/>
      </service>

      <service name="createOrderAdjustment" default-entity-name="OrderAdjustment" 
engine="simple"

